Abstract
An effective method for detecting DDoS attacks at the target (victim) end of the network is proposed. The aim is to detect an attack in its early stages at low cost and, at the same time, to record the suspicious attack packets. For TCP-based DDoS attacks, an observer at the victim end sees a large number of unacknowledged TCP segments. In every time interval Δt, the ratio of the number of unacknowledged segments to the total number of segments is computed, which yields a time-indexed statistical sequence. An improved non-parametric recursive CUSUM (cumulative sum) algorithm is then applied to this sequence to detect a DDoS attack online and quickly, and suspicious packets are recorded while detection runs. Experiments show that the detection algorithm is not only fast but also has a lower false-positive rate and adapts to more complex network environments. It also provides some help for forensic analysis and traceback of the attack.
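The abstract describes the detector in three pieces: a per-interval statistic (unacknowledged segments over all segments), a non-parametric recursive CUSUM run over that sequence, and a record of suspicious packets kept as detection proceeds. The following is an added example, not code from the paper, that runs all three over a constructed trace. It assumes one concrete reading of "unacknowledged" (segments the victim sent, such as SYN-ACKs, that no inbound ACK from the same peer covers, which is what a SYN flood from spoofed sources produces) and, because the page does not describe the paper's improvement to the CUSUM, uses the standard non-parametric recursive form y_n = max(0, y_{n-1} + x_n - a) with an alarm when y_n > h. The parameters a, h and the `history` buffer length, and the trace itself, are choices made for this example.

```python
"""Added example (not the paper's code): unacked/total ratio per interval,
non-parametric recursive CUSUM, and logging of suspicious segments.

Assumptions: "unacknowledged" means a segment the victim sent that no
inbound ACK from the same peer covers; the CUSUM is the standard
recursive form y_n = max(0, y_{n-1} + x_n - a), alarm when y_n > h.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# (peer_ip, seq, length) for a segment the victim sent; a SYN-ACK takes one
# sequence number, so its length is 1.
Outbound = Tuple[str, int, int]
# (peer_ip, ack_no) for an ACK the victim received.
InboundAck = Tuple[str, int]


@dataclass
class Interval:
    """All segments seen at the victim during one interval of length dt."""
    sent: List[Outbound]
    acks: List[InboundAck]


@dataclass
class IntervalResult:
    total: int
    unacked: int
    ratio: float
    suspicious: List[Outbound]  # victim segments never covered by a peer ACK


def classify_interval(iv: Interval) -> IntervalResult:
    """Compute unacked/total for one interval and keep the unacked segments."""
    highest_ack: Dict[str, int] = {}
    for peer, ack_no in iv.acks:
        highest_ack[peer] = max(highest_ack.get(peer, 0), ack_no)
    # A cumulative ACK covers the segment once it reaches seq + length.
    suspicious = [s for s in iv.sent if highest_ack.get(s[0], 0) < s[1] + s[2]]
    total = len(iv.sent)
    # An idle interval contributes 0, which lets the CUSUM statistic decay.
    ratio = len(suspicious) / total if total else 0.0
    return IntervalResult(total, len(suspicious), ratio, suspicious)


class NonParametricCusum:
    """Recursive CUSUM with no distributional model of x_n.

    `a` sits above the ratio's mean under normal traffic, so y drifts to 0
    normally and climbs once the ratio exceeds `a`; `h` trades detection
    delay against false alarms.
    """

    def __init__(self, a: float, h: float) -> None:
        self.a, self.h, self.y = a, h, 0.0

    def update(self, x: float) -> bool:
        self.y = max(0.0, self.y + x - self.a)
        return self.y > self.h


def detect(intervals: List[Interval], a: float = 0.3, h: float = 0.4,
           history: int = 3) -> Tuple[Optional[int], List[float], List[Outbound]]:
    """Return (first alarm index or None, ratio sequence, logged segments).

    Suspicious segments from the last `history` quiet intervals are buffered
    so the evidence just before the alarm is kept when the alarm fires.
    """
    cusum = NonParametricCusum(a, h)
    recent: Deque[List[Outbound]] = deque(maxlen=history)
    ratios: List[float] = []
    logged: List[Outbound] = []
    first_alarm: Optional[int] = None
    for n, iv in enumerate(intervals):
        res = classify_interval(iv)
        ratios.append(res.ratio)
        if cusum.update(res.ratio):
            if first_alarm is None:
                first_alarm = n
            for buffered in recent:
                logged.extend(buffered)
            recent.clear()
            logged.extend(res.suspicious)
        else:
            recent.append(res.suspicious)
    return first_alarm, ratios, logged


def make_trace() -> List[Interval]:
    """Constructed trace: 6 normal intervals (2 of 20 SYN-ACKs unacked), then
    4 intervals of a SYN flood from spoofed 198.51.100.0/24 addresses."""
    def normal() -> Tuple[List[Outbound], List[InboundAck]]:
        sent = [(f"10.0.0.{i}", 1000 * i, 1) for i in range(1, 21)]
        acks = [(peer, seq + 1) for peer, seq, _ in sent[:18]]
        return sent, acks

    trace = [Interval(*normal()) for _ in range(6)]
    for _ in range(4):
        sent, acks = normal()
        sent += [(f"198.51.100.{j}", 5000 + j, 1) for j in range(1, 81)]
        trace.append(Interval(sent, acks))
    return trace


if __name__ == "__main__":
    alarm, ratios, logged = detect(make_trace())
    print("ratios:", [round(r, 2) for r in ratios])
    print("first alarm at interval:", alarm)
    print("segments logged:", len(logged))
```

With these parameters the six normal intervals hold the statistic at 0 (ratio 0.1 is below a = 0.3), and the first flood interval (ratio 0.82) pushes y to 0.52, above h = 0.4, so the alarm fires on the first attack interval; the three buffered normal intervals plus every alarmed interval contribute their unacked segments to the log, which is where a traceback would start. Raising h delays detection but suppresses alarms from short bursts; choosing a too close to the normal mean lets y accumulate on benign loss.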
Source
Journal on Communications (通信学报)
Indexing: EI; CSCD; Peking University Core Journals (北大核心)
2008, No. 6, pp. 126-132 (7 pages)
Funding
National High Technology Research and Development Program of China (863 Program) (2003AA142010)
National Natural Science Foundation of China (60473093)
Jiangsu Province High Technology Research Program (BG2004030)